Understanding how and why the exposure of data occurred will help prevent future incidents from happening.

Despite having experienced a breach or knowing they are at risk for one, many health care organizations do not have proper measures in place to prevent future breaches or mitigate damages in the event another one were to occur.

This was a major finding from a report by the Ponemon Institute prepared on behalf of Experian Data Breach Resolution. The report examined the consequences of breaches and the steps organizations are taking to prevent and lessen the damages from future incidents. It found that although organizations have a clear understanding of the risks and the potential consequences, which include violating the Health Insurance Portability and Accountability Act, many aren’t taking the right steps to protect themselves. HIPAA’s Security Rule requires covered entities to conduct a risk analysis and to have procedures in place for responding to security incidents.

The issue could be related to tight budgets or other limited resources, said Michael Bruemmer, vice president at Experian Data Breach Resolution. Another problem is that many organizations, including physician practices, have never envisioned themselves being the victim of a breach in the first place. “Sometimes organizations need to experience an incident to understand firsthand the impact. We hate to see that happen,” he said.

The report, published April 23, examined breaches in several industries; health care was among the three industries examined most closely. Physician organizations were not specifically delineated.

Of the health care organizations surveyed, 94% were breached in the past two years. In the first quarter of 2013 alone, 875,000 health care records were exposed through breaches, according to the Ponemon Institute.

“We are off to another year of significant health care breaches just based on the last 12 months trending and data from this survey,” Bruemmer said. He said he was “dumbfounded” that “the numbers aren’t hitting home to people even when they’ve had a breach.”

Thirty-nine percent of companies surveyed said they did not have a response plan in place even after experiencing a breach. The survey also found that those that do have a plan may be missing crucial components.

Organizations should have a mechanism in place for learning how a breach occurred, so that the weaknesses that allowed it can be fixed and future breaches avoided. The survey found that only 19% of the organizations have tools to determine the nature and cause of a breach.

“The study findings show that the organizations need to prioritize preventing future breaches and better manage postbreach response,” said Larry Ponemon, PhD, chair and founder of the Ponemon Institute, in a statement.

Health care considered easy target

A separate report, the annual Verizon Data Breach Investigations Report, released April 23, underscored the need to determine how breaches have occurred.

“We believe the better we understand our adversaries, the more we can combat the problem,” said Suzanne Widup, senior consultant with the Verizon Risk Team.


Verizon has been publishing its annual breach investigation report since 2008. What started as an analysis of breaches affecting Verizon business clients has expanded to include data from 19 partner organizations around the world, including law enforcement agencies and incident response teams, that respond to and investigate cyber crimes. More than 47,000 security incidents spanning multiple industries, including 621 confirmed data breaches, were analyzed for the report. Because it includes only those incidents reported to and investigated by the participating organizations, the report is not a comprehensive look at health care data breaches. But it does show the weaknesses that cyber criminals exploit to cause them.

Widup said most of the health care-related breaches caused by cyber criminals occur because organizations lack the safeguards to protect themselves. “They are considered easy targets,” she said.

The criminals aren’t looking for health information, but rather for the financial information, such as payment card data, that is stored within a practice’s records. Physicians “are used to being focused on patient privacy and keeping that information really secure and protected,” Widup said. “They’re not so much expecting to be attacked because of the credit [card information] that they keep and that sort of thing. So the fact they are targeted for something they are not expecting leaves them more vulnerable if they are not putting their defenses where they are likely to be targeted.”

Executing the plan

Every practice should have an incident response plan in place, even though HIPAA does not spell out what such a plan should look like. The problem is that many small practices don’t know what an incident response plan is, said Rick Kam, president and co-founder of ID Experts, a data security consulting firm in Portland, Ore.

For small practices, “the idea is to simplify,” Kam said. “Don’t get caught up in the complexity and/or the fear of not doing something because it sounds complex.”

At a basic level, the plan should include steps for determining the cause and scope of the breach; for identifying and notifying those affected and the Dept. of Health and Human Services’ Office for Civil Rights; mechanisms for working with those affected; and plans for responding to questions.

Bruemmer said physician offices not only should have a plan in place, they also should practice the plan. Every person in the practice should know his or her role in the event of a breach.

Even though an outside agency may be hired to handle the notification and investigation, internal employees need to know whom patients should be directed to when they contact the practice with questions, Bruemmer said.

The Experian survey found that a majority of organizations don’t provide clear communication and notification to those affected by a breach. Only 21% had communications teams trained to assist in responding to questions, and 30% said they had trained their customer service personnel in how to respond to questions about the breach.

Bruemmer said the person in charge of the incident response plan should be given authority to make decisions on his or her own, as opposed to waiting for approval each time a decision needs to be made. Part of the incident response plan should cover the federally mandated notifications: under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, and a breach affecting 500 or more individuals must also be reported to HHS’ Office for Civil Rights on the same timeline (smaller breaches are logged and reported to HHS annually). Those notification requirements come with deadlines.

Finally, Bruemmer said, when creating an incident response plan, organizations need to do a role reversal to determine steps to mitigate damage to their reputation.

“If I put myself in the position of being breached, [think of] how would I like to be treated,” he said.